On 09/27/2013 06:29 AM, Lance Lassetter wrote:
On Thu, Sep 26, 2013 at 10:12:00AM -0400, Eric H. Christensen wrote:
On Wed, Sep 25, 2013 at 01:07:59PM -0500, Lance Lassetter wrote:
Firewalld is just not workable enough for me.  For instance, I need to have 
quirky netfilter rules to make my squid proxy setup work properly.  There is 
no easy way to do this with firewalld.  Also, I set up an iptables queue so that 
netfilter supports Suricata IPS mode.  For this, too, there is no easy way...

Netfilter is just so diverse and firewalld seems to strip a lot of that 
diversity away.

What about the idea that people who want to write their own iptables custom 
scripts could have, after writing the script and implementing it, a smart 
way for the script to be imported...the whole script, into firewalld.  Last I 
tried, my NAT rules weren't compatible with firewalld.  Like maybe a simple 
iptables-save, then a firewalld-save or the like.  Then maybe ask whether to import 
it into firewalld's 'home', 'work', 'public', etc.

It sounds a bit like you are trying to use firewalld on a server.  I would not 
recommend using firewalld for anything but client boxes and, specifically, 
client boxes with simple rules.  If you are using this on a server I would 
uninstall firewalld and not use the complexity that it adds to iptables but 
rather just use iptables (and ip6tables).  There is nothing wrong with using 
your scripts on iptables and not using firewalld.  You seem to know how to 
configure iptables which is what firewalld aims to fix for people that don't.

-- Eric

I thought in the Fedora world firewalld was supposed to replace iptables completely?  So 
firewalld is just for client machines?  Then IMHO this needs to be stated explicitly, 
say, upon launch of firewalld?  Or something....  I saw a lot of confusion at the first 
launch of firewalld because of the complete replacement factor and "How am I going 
to do this on a server?"  If it is to be a complete replacement (which maybe it 
should be, for the simplification of netfilter to the end user), what about a wizard 
upon launch as well as the flexibility of importing complex rulesets into firewalld no 
matter what?

FirewallD has never been intended only for clients. AFAIR it even started as a solution for servers. The aim of FirewallD has already been very nicely described by Mirek in
https://lists.fedoraproject.org/pipermail/security/2013-September/001667.html
https://lists.fedoraproject.org/pipermail/security/2013-September/001669.html

--
Jiri
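Lance's wish for an "iptables-save, then import into firewalld" step, and the Squid REDIRECT and Suricata NFQUEUE rules he says he cannot express, can be handled today through firewalld's direct interface. The following converter is an added example for this thread, not firewalld's own tooling and not code from any poster: it parses iptables-save output and emits the documented `firewall-cmd --direct --add-chain` / `--add-rule` commands, creating user chains before the rules that reference them and using the rule's position within its chain as the direct-rule priority so ordering survives. The SAMPLE_DUMP is constructed for illustration, and the interface names (eth0, eth1), the Squid port 3128 and the queue number 0 are assumed placeholders.

```python
"""Turn an iptables-save dump into firewall-cmd --direct commands.

Added illustration for this thread; not firewalld's own code. It assumes the
documented direct interface:
  firewall-cmd [--permanent] --direct --add-chain {ipv4|ipv6|eb} TABLE CHAIN
  firewall-cmd [--permanent] --direct --add-rule  {ipv4|ipv6|eb} TABLE CHAIN PRIORITY ARGS...
"""
import re
import shlex

# Chains netfilter provides per table; anything else is a user chain that
# firewalld must be told to create with --add-chain before rules reference it.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

COUNTERS = re.compile(r"\[\d+:\d+\]")  # "[pkts:bytes]" prefix from iptables-save -c

# Constructed sample (assumed interfaces/ports), shaped like the rules in the
# thread: a Squid transparent-proxy REDIRECT plus an NFQUEUE hand-off to an IPS.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IPS - [0:0]
-A FORWARD -j IPS
-A IPS -j NFQUEUE --queue-num 0
COMMIT
"""


def parse_iptables_save(dump):
    """Parse iptables-save text into {table: {"policies": {chain: policy},
    "rules": [(chain, [args...]), ...]}}, preserving rule order."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
            continue
        if table is None:
            raise ValueError("line outside a *table block: %r" % raw)
        if line == "COMMIT":
            table = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":CHAIN POLICY [pkts:bytes]"
            tables[table]["policies"][chain] = policy
        else:
            tokens = shlex.split(line)
            if tokens and COUNTERS.fullmatch(tokens[0]):
                tokens = tokens[1:]  # drop per-rule counters
            if len(tokens) < 2 or tokens[0] != "-A":
                raise ValueError("unsupported line: %r" % raw)
            tables[table]["rules"].append((tokens[1], tokens[2:]))
    return tables


def to_firewall_cmd(dump, family="ipv4", permanent=True):
    """Return (commands, warnings): the firewall-cmd invocations that
    reproduce DUMP, and whatever the direct interface cannot express."""
    base = ["firewall-cmd"] + (["--permanent"] if permanent else []) + ["--direct"]
    cmds, warnings = [], []
    for table, data in parse_iptables_save(dump).items():
        builtin = BUILTIN_CHAINS.get(table, set())
        for chain, policy in data["policies"].items():
            if chain not in builtin:
                cmds.append(_join(base + ["--add-chain", family, table, chain]))
            elif policy != "ACCEPT":
                warnings.append("%s/%s policy %s: --direct cannot set a chain policy; "
                                "add a final catch-all rule instead" % (table, chain, policy))
        next_prio = {}  # priority = position within the chain, so order survives
        for chain, args in data["rules"]:
            prio = next_prio.get(chain, 0)
            next_prio[chain] = prio + 1
            cmds.append(_join(base + ["--add-rule", family, table, chain, str(prio)] + args))
    return cmds, warnings


def _join(tokens):
    """Shell-quote tokens so the emitted line can be pasted into a root shell."""
    return " ".join(shlex.quote(t) for t in tokens)


if __name__ == "__main__":
    commands, warns = to_firewall_cmd(SAMPLE_DUMP)
    print("\n".join(commands))
    for w in warns:
        print("# WARNING:", w)
```

Run it against real `iptables-save` output (and with `family="ipv6"` against `ip6tables-save`), review the emitted lines, and apply them followed by `firewall-cmd --reload`. Two caveats a practitioner should keep in mind: firewalld places direct rules in its own `CHAIN_direct` sub-chains that the built-in chains jump to ahead of the zone rules, so the converted rules are evaluated before, not instead of, firewalld's own; and the direct interface has no way to set a built-in chain's policy, which is why a non-ACCEPT policy is reported as a warning rather than silently dropped.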